-
April 16th, 2004, 03:16 AM
#1
Group Policy Issues
I've been struggling with my new server system this week. Now, before I go on, let me just warn you this is not 'general user' stuff, so if you don't understand a word of it that's just fine. Then again, I also know we have some real true geeks in the community and I'm hoping one of those might come up with something clever, or hopefully something simple.
The Setup
2x Windows 2003 Standard Edition Servers set as Domain Controllers, Global Catalogue servers and DNS is installed only (not WINS)
2x Windows 2003 Enterprise Edition Servers set as file and application servers - although for the purposes of this problem these might as well not exist.
4x Windows 2003 Enterprise Edition Terminal Servers, in a NLB Cluster.
1st User with "Domain User" and "Remote Desktop" access to the cluster who is also a local Power User for Terminal Server 1
2nd User with "Domain User" and "Remote Desktop" access to the cluster who is also a local administrator for Terminal Server 1
An Organisational Unit in the Domain Tree with 2 Group Policy Objects linked to it.
I placed both users in the OU and if I log in with "1st User" the GP Rules do not get applied. For 2nd User they work perfectly. If I promote User1 to Local Admin then Group Policy Applies perfectly for him too.
I have run GPResult and get this output:
Code:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 16/04/2004 at 08:37:16
RSOP data for ENABLE\template1 on TS1 : Logging Mode
-----------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: ENABLE
Roaming Profile: \\enable.local\profile1\Template1
Local Profile: C:\Documents and Settings\template1
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Template 1,OU=Enable Users,DC=enable,DC=local
Last time Group Policy was applied: N/A
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: ENABLE
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Start Menu and TaskBar
Windows/IE settings
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Power Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
As you can see it CLAIMS the GPOs are being applied but they are quite clearly not.
Same results from GPMC.
I have tried this several times and it seems on the terminal services servers only user accounts in the local administrators group can apply the GPO, which seems just ever so slightly completely insane.
Please, someone help me...
-
April 16th, 2004, 06:28 AM
#2
Registered User
For the GP, under Properties>Security check the permissions for "Read" and "Apply", and make sure the said user has them.
Protected by Glock. Don't mess with me!
-
April 16th, 2004, 06:45 AM
#3
Sorry, I should have mentioned I have checked this and Read and Apply is set for Authenticated Users and Everyone. The problem definitely seems tied to local rights not domain rights.
-
April 18th, 2004, 12:37 PM
#4
Driver Terrier
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
April 19th, 2004, 03:08 AM
#5
There is nothing inherited except the default policy, which has no conflicting rules. The really confusing things are:
1) GPResult and GPMC both tell me that the policies are being applied and that the required policy settings are coming from the GPOs that I want them to come from. Yet they so very obviously aren't.
2) The policy is enforced properly for users in the 'local' administrators group, so I could work around this issue by placing domain users into local admins and then restricting the users' rights with a group policy back to the required level. Seems like insanity.
3) Especially odd, the gpresult output for user 'Template1' is the same if that user is in the local admins group or not. Even though the actual result of the GPO is quite different.
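Added example, not part of any post in this thread: a small Python parser for the gpresult text layout shown in the first post, so two captures (for instance with and without local admin membership) can be compared section by section instead of by eye. It also reports the combination visible in the posted output, where GPOs are listed as applied while the "Last time Group Policy was applied" field reads N/A. The function names and the abbreviated sample are constructed for illustration.

```python
import re

RULE = re.compile(r"^-{3,}$")                # dashed line printed under each heading
FIELD = re.compile(r"^([^:\\]+):\s+(.*)$")   # "key: value" lines such as "Site Name: ENABLE"

# Constructed sample: abbreviated from the layout of the output in the first post.
SAMPLE = """\
USER SETTINGS
--------------
Last time Group Policy was applied: N/A
Applied Group Policy Objects
-----------------------------
Start Menu and TaskBar
Windows/IE settings
The user is a part of the following security groups
---------------------------------------------------
BUILTIN\\Power Users
"""

def parse_gpresult(text):
    """Return ({heading: [items]}, {field: value}) for one report."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sections, fields, current = {}, {}, None
    for i, line in enumerate(lines):
        if RULE.match(line):
            continue
        if i + 1 < len(lines) and RULE.match(lines[i + 1]):
            current = sections.setdefault(line, [])  # heading sits above a dashed rule
        elif FIELD.match(line):
            key, value = FIELD.match(line).groups()
            fields[key.strip()] = value.strip()
        elif current is not None:
            current.append(line)
    return sections, fields

def compare(report_a, report_b):
    """Return {heading: (only_in_a, only_in_b)} for sections that differ."""
    a, b = parse_gpresult(report_a)[0], parse_gpresult(report_b)[0]
    diff = {}
    for heading in sorted(set(a) | set(b)):
        in_a, in_b = set(a.get(heading, [])), set(b.get(heading, []))
        if in_a != in_b:
            diff[heading] = (sorted(in_a - in_b), sorted(in_b - in_a))
    return diff

def applied_without_timestamp(text):
    """True if GPOs are listed as applied while the last-applied field reads N/A."""
    sections, fields = parse_gpresult(text)
    return bool(sections.get("Applied Group Policy Objects")) and fields.get(
        "Last time Group Policy was applied") == "N/A"
```

An empty result from `compare` on two saved reports means the section contents are identical, and any difference is listed per heading.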